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The number of devices linked to the internet is rapidly increasing as the 
internet has become ingrained in every aspect of modern life. However, 
certain issues are getting worse, and their resolutions are not well-defined. 
One of the main issues is convergence and speed for communication 
between different internet of things (IoT) devices and their security. For that 
purpose, in this paper, an improved artificial bee colony (ABC) algorithm 
with binary search equations along with neural networks is proposed, known 
as the artificial bee colony algorithm with binary search equations (BABCN) 
algorithm for intrusion detection in terms of convergence and speed for 
communication. The depth-first search framework and binary search 
equations on which the artificial bee colony algorithm with binary search 
equations algorithm is built improve the algorithm’s capacity for 
exploitation and speed up convergence. The initial weight and threshold 
value of the ABC neural networks are optimized using an algorithm to 
prevent them from entering a local optimum during the training procedure 
and accelerating training. The NSL-KDD dataset was used, and based on the 
results; the proposed algorithm improves classification and has high 
intrusion detection ability in the network. The proposed has undergone tests 
to be evaluated, and the results show that it performs better in detection 
accuracy, time, and false positive rate. 
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1. INTRODUCTION 


The number of devices associated with the internet is rapidly rising as the internet has become 
ingrained in every aspect of modern life. Particularly, internet of things (IoT) gadgets are becoming 
commonplace in everyday life. However, certain issues are becoming worse, and their solutions are also 
being discussed by different researchers [1]. In cloud and IoT security techniques, intrusion detection is used 
to identify, verify, and thwart illegal entry into a computer network or internetwork. Due to the impressive 
developments in data technology, there are important network confidentiality battles to win. Consequently, it 
is imperative to have an intrusion detection system (IDS) for the security of a network [2]. 

IDS fall under several categories of distinct approaches. The two primary divisions are active and 
inactive IDS. The traditional active IDS is unable to address newly emerging threats. Due to its enormous 
number of components and features, one of the primary challenges in finding intrusions is to locate and 
distinguish between regular and anomalous network connections. IDS is frequently used to determine how 
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and where intrusions occur. The investigators conducted a thorough investigation of several element selection 
strategies to achieve real-time intrusion detection [3]. 

A compelling argument for improving the accuracy and speed of categorization schemes is to reduce 
the number of features based on the selection of the essential characteristics. Machine learning techniques 
have been widely used to recognize various attack types, and they can assist network administrators in 
responding to network attacks by guiding them toward the best course of action. The majority of these 
conventional machine learning techniques, however, fall within the shallow learning category and require 
extensive feature extraction and feature selection [4]. Due to its enormous number of components and 
features, one of the primary challenges in finding intrusions is to locate and distinguish between regular and 
anomalous network connections. IDS is frequently used to determine how and where intrusions occur. The 
classifier, which uses a detection mechanism to distinguish between intrusion and normal activity, is the 
fundamental component of an IDS. It can be difficult to implement a classifier with an accurate detection 
method, especially in IoT and cloud computing networks with lots of devices [5], [6]. Figure 1 presents the 
structure of IoT and cloud computing (CC) integration and working criteria. The rest of this paper is 
structured as follows: section 2 presents information about related work, section 3 discusses the proposed 
algorithm, section 4 covers the parameters, section 5 presents the results, and section 6 discusses the 
conclusion. 
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Figure 1. Structure of CC and IoT [7] 


2. RELATED WORK 

The two main types of intrusion detection techniques are anomaly-based and signature-based. With 
signature-based approaches, several intrusion patterns that have been tested and proven effective against 
them are stored in the system as predefined signatures. Additionally, the system compares the actions taken 
with these patterns, and if a similar pattern is seen, it will be labeled as an intrusion. Naturally, these 
techniques cannot identify brand-new or zero-day risks. These techniques, however, are particularly good at 
identifying recognized risks and their patterns [8]. A vision of typical activity is constructed using anomaly- 
based methods, after which an anomaly may denote an intrusion. It is well recognized that because there is no 
set pattern for monitoring, aberrant intrusions are exceedingly challenging to find. An occurrence is typically 
deemed abnormal if it occurs considerably more frequently or less frequently than a threshold [9]. Some AI 
methods employ tree-based algorithms like decision trees and random forests, which can build a structure for 
successfully detecting infiltration. In a decision tree algorithm, decisions are made step by step in accordance 
with the parameters of the problem. However, a decision tree may not always be sufficient to model a 
problem. Therefore, multiple decision trees are employed in random forest algorithms to improve overall 
decision-making accuracy. For software-defined networks, Xu et al. [10] have presented an anomaly-based 
method (IDSML) that enhances detection performance by combining many distinct tree-based methods. 
Neural networks are employed in other AI methods to accurately determine whether a specific occurrence 
resembles known patterns. Neural networks are made up of a number of interconnected nodes and have the 
ability to recognize patterns. According to Revathi and Malathi [11], calculations in a neural network take a 
long time since decision-making problems have a lot of parameters. Neural networks have been the primary 
detection method in numerous studies. 

The artificial bee colony (ABC) algorithm was created in 2005 by Karaboga as a heuristic swarm 
intelligence system to resemble the group behavior of honeybees. It was initially created to address some 
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issues with numerical optimization. According to Vinayakumar et al. [12], the ABC algorithm was used to 
optimize multivariate functions, and it was compared to other methods like the genetic algorithm (GA) and 
particle swarm optimization (PSO). The results show that ABC is a superior algorithm over others. On the 
other hand, the ABC algorithm struggles with exploitation and is prone to settle into a local optimum while 
excelling in exploring the answer. The GABC algorithm, which enhances exploitation by including 
information on the global optimal solution in the solution search equation, was introduced as an upgrade to 
the ABC algorithm [13]. According to Mishra et al. [14], a multi-strategy ensemble artificial bee colony 
(MEABC) algorithm was suggested. In MEABC, a variety of unique solution search tactics cohabit and 
compete for offspring throughout the search process. When applied to continuous optimization issues, the 
MEABC approach significantly enhances the performance of ABC. According to Karaboga and Ozturk [15], 
an ABC algorithm incorporating elite-guided search equations and a depth-first architecture, called DFSABC 
elite, was introduced. The algorithm's ability to be exploited is improved by giving superior solutions higher 
priority for computational resources. 


2.1. Contribution of paper 

The main purpose of the suggested model for the developed approach is outlined below NSL-KDD 
dataset. The network traffic signal is directly picked information in the NSL-KDD dataset. The IDS typical 
analysis is carried out by this dataset. Information preprocessing groups information for categorization and 
eliminates repetitive and unexpected occurrences. Selection of a feature it has been determined that the 
particular subset used the random feature selection method ABC and single feature selection method 
Gaussian distribution strategies to further the categorization. Hybrid categorization is to increase the accuracy 
of categorization, categorization is carried out using the artificial bee colony algorithm with binary search 
equations (BABCN) schemes [16]. 


3. PROPOSED ALGORITHM 

The population-based, iterative ABC method is a powerful approach for tackling numerical 
optimization issues. The previous papers mentioned are [17]. Equations are stronger for exploration than for 
exploitation. Additionally, the ABC algorithm's convergence performance is not outstanding. Therefore, in 
[18], a binary search framework (BSF) and two search equation solutions, as given in (1), were suggested to 
better balance exploration and exploitation. This process, known as BSF, is used for improving the 
algorithm's ability to be exploited. The BSF framework can give better solutions higher priority when 
allocating more computational resources. The search equations retain the answer with the highest fitness 
value on each iteration, hastening the algorithm's training [19]. 


Vij = Xej t bej xX (Xej — Xr) (1) 
Ve,j = = (Xe,j a Xpest,j) + Pej x (Xnest, j = Xk j) (2) 


Where the solutions X, and X, were randomly selected from the binary search solution and the current 
population, respectively. Neither e nor k are equivalent to one another. Xpest is currently the best choice. i, j 
and e, j are two random real values in the range [-1, 1]. In order to better balance ABC exploration and 
exploitation capacities, in paper [20], the problem that the candidate solution search equation in paper [21] 
has an overly significant disruption to the search solution is addressed. It then presents a binary search 
equation. 

Different search equations should be utilized for the candidate solutions and the accepted solutions. 
Where X; is a randomly chosen solution from the current population and X, is a solution chosen at random 
from the binary search solution. e and k are not interchangeable terms. Right now, Xpest is the best option. 
Two random real variables in the [-1, 1] in the given range. The issue that the candidate solution search 
equation in paper [22] has an excessively significant disruption to the search solution is addressed in article 
[23] in order to better balance ABC's exploration and exploitation capacities. A binary search equation is then 
presented. Different search equations should be employed for the candidate solutions and the accepted 
solutions. 


cı Xpbest;+c2 xgbest 


P, = (3) 


C1 +C2 


gbest+pbest; 
2 


X,;=N ( ,gbest — pest; ) (4) 
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In this situation, N stands for the Gaussian distribution, gbest + pbest; for the mean, and 
gbest, pbest; for the standard deviation. The Gaussian distribution in (3) is used to take advantage of the 
information around pbest and gbest. According to (4) a comparable Gaussian search equation is suggested 
[24]. 


Xbest,jtXij 
Vej =N (Pa Yrest - Xi) (5) 
1 
Vej = 5 Key + Xpest,j) + (Xej + Xpest,j) + fej Xnest,j ~ Xej) (6) 
net; = Yin i jXi + 4; (7) 


Finally, the neural network is trained using the backpropagation method using the initial weight and 
threshold values produced by the BABCN algorithm. By using gradient descent, the backpropagation method 
attempts to reduce the training error. The neural network for network traffic intrusion detection will employ 
the weights and thresholds with the minimum training error as its parameters [25]. The working criteria of the 
proposed backpropagation and neural network are as follows: choose a sample of data for training, then 
generate the weight values at random for the connections between the hidden layer neurons and the output 
layer neurons (@;,) and the hidden layer neurons and the input layer neurons (wj). Additionally, create the 
threshold values j of the neurons in the hidden layer and k of the output layer [26]. 


Vey = 5 (Ke,j + Xnestj) + PXe, + Xrest,j) + be, Xoest,j — Xe,j) (8) 
net; = Xit Wi Xi + 9; (9) 
yj = 94 (net;) (10) 
net, = Wes WjkYj + Ox (11) 
Zk = 92(net,) (12) 


According to (8), the neural network's error is estimated. If the error fulfills the criteria, (9) and (10) 
are followed; otherwise, (11) is followed with (12). 


IW) = Ekale a) (13) 


In (13) and (14) modify the threshold and weight values between the hidden layer and the output 
layer. The weight and threshold values between the input layer and the hidden layer are changed in 
accordance with (15) [27], [28]. 


Vwjkr = (th — Zr)ð2'(netk)yj (14) 
VO, = (ty — 24 )92'(net,) (15) 
Voi = nk- Oj 5x] 91 (net) xi (16) 
VO; = n|} xx] 91 '(net;) (17) 
ôk = — ron = a an = (ty — 2)82"(net,) (18) 


The new weight standards w;; and the new threshold values j between the input layer and the hidden 
layer, as well as the new weight values w,, and the new threshold values k between the hidden layer and the 
output layer, can be obtained after the results found in (16) [29]. After learning the results from (17) [30], it is 
possible to recover the new weight values w,;; and the new threshold values j between the input layer and the 
hidden layer, as well as the new weight values w,;,and the new threshold values k between the hidden layer 
and the output layer. 
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1 
sf xz0 
are 1+f(X;) us 
= l 1+IFEDIXD<0 (19) 


Rerun into step (18) using the updated weight and threshold values. Stop the training process if the 
error complies with the specifications. Otherwise, obtain the relevant output signal from the neural network 
by using the present weights and thresholds as neural work input signals. The goal function of (18) is set to 
the loss function of a neural network, (19). Decide what the max cycle number (MCN) should be. Figure 2 
presents the working approach [31]. 
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Figure 2. Working on the proposed approach 


4. EVALUATION METRICS 
The following evaluation parameters are measured in this paper, which are as (20). 


Aca AN (20) 


~~ TP+TN+FP+FN 


Accuracy (AC) is defined by (20) as the proportion of samples that have been correctly identified to all 
samples (41) [28]. 


TP 
~~ TP+FN 


TPR (21) 


The true positive rate (TPR), which is the percentage of correctly identified anomaly samples over all 
anomaly samples, is equal to the detection rate (DR) [32]. 


FP 
FP+TN 


FPR = (22) 
The ratio of the total number of normal samples to the number of normal samples that were incorrectly 
labeled as anomaly samples is known as the false positive rate (FPR) [33]. 


4.1. Data set 

A data set called NSL-KDD has been proposed to address some of the underlying issues. The NSL- 
KDD train and test sets have a respectable number of records. Due to this benefit, all of the data can be used 
for the tests instead of just a tiny sample that must be chosen at random. As a result, evaluation findings from 
various research projects will be comparable and consistent [34]. 


5. RESULTS AND DISCUSSION 

The results obtained from the multiclass classification are compared with the proposed algorithm in 
Table 1. Categorization issues arise when choosing a model's threshold. The two parameters of the receiver 
operating characteristic (ROC) curve, genuine positives and rate of false positives are mentioned in Table 1. 
In terms of deciding which data to employ for classification analysis, an area under the curve (AUC) is the 
best predictor of a model. The ROC curve is one instance of its use. The true positive rate in this case is 
compared against the false positive rate. Table 2 illustrates how the random forest (RF) performed well for 
multiclass classification as a whole. 


Int J Adv Appl Sci, Vol. 13, No. 1, March 2024: 24-32 


Int J Adv Appl Sci ISSN: 2252-8814 o 29 


The performance measurement tool is displayed in an ROC curve. Categorization issues arise when 
choosing a model's threshold. The two parameters of this ROC curve are genuine positives and the rate of 
false positives. Table 2 displays the outcomes of a 32-batch operation. In this case, the mean accuracy of the 
proposed BABCN algorithm classifier declined as the number of research epochs increased. When the 
number of epochs increased from 10 to 32, the accuracy decreased. Figure 3 presents the batch operation of 
different algorithms, Figure 3(a) shows the elapsed time of the different algorithms, and Figure 3(b) shows 
the epoch time of the different algorithms. 

Tables 3 and 4 display the outcomes for batch sizes of 64 and 128. The mean accuracy of the 
proposed BABCN algorithm classifier seemed to have increased as the number of research epochs grew. 
When the number of epochs increased from 15 to 45, there was a minor decrease for the BABCN, and then it 
increased at 45 epochs. Table 4 shows that a larger batch size could result in a shorter duration time. Figure 4 
presents the accuracy of different approaches. 
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Figure 3. The batch operation of (a) elapsed time of different algorithms and (b) epoch time of different 
algorithms 
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Figure 4. Accuracy of different approaches 


Table 1. Shows the results of different parameters in classification 


Algorithm AUC DDoS _AUC DoS _AUC reconnaissance _AUC normal _AUC theft 
MLP algorithm 0.98 0.98 0.99 1 0.96 
ABC algorithm 0.98 0.98 0.99 1 
Proposed BABCN algorithm 0.98 0.98 0.98 1 0.95 


Multilayer perceptron (MLP); denial of service (DoS); distributed denial of service (DDoS) 
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Table 2. Metrics batch size 32 


Algorithm Epoch Mean accuracy Elapsed time 
MLP algorithm 10 0.98 0.99 
ABC algorithm 30 0.97 0.98 
Proposed BABCN algorithm 32 0.99 0.97 


Table 3. Metrics batch size 64 


Algorithm Epoch _Mean accuracy _Elapsed time 
MLP algorithm 25 0.98 0.99 
ABC algorithm 35 0.97.6 0.99 
Proposed BABCN algorithm 45 0.98.8 0.99 


Table 4. Metrics batch size 128 


Algorithm Epoch _ Mean accuracy _ Elapsed time 
MLP algorithm 35 0.98 0.99 
ABC algorithm 40 0.98 0.99 
Proposed BABCN algorithm 49 0.99 0.99 


6. CONCLUSION 

We looked at various machine learning and deep learning techniques on an IoT network and 
compared them with our proposed approach in this study. We took into account the analysis of RF, 
convolutional neural network (CNN), MLP, and the proposed BABCN algorithm. The best outcome in terms 
of multiclass classification accuracy and AUC was achieved by random forests and CNN. In trials with 32 
and 64 batches, the accuracy slightly decreased with the addition of epochs, whereas in trials with 128 
batches, the accuracy slightly increased. Additionally, we discovered that boosting the batch size helped 
hasten the computation. For the proposed BABCN algorithm, increasing the batch size by two could speed up 
computation by 1.3—2.4 times, while for CNN, it could accelerate computation by 1.8—2.4 times. Our long- 
term objective is to create models using the proposed BABCN algorithm. Future deployment of our proposed 
system aims to deliver detection and classification services against various cyber-attacks and intrusions 
within a network of IoT devices (e.g., a network of advanced RISC machines (ARM) or Arduino Raspberry 
Pi nodes). 
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